ARP-spoofing defense

Corey Edwards <tensai at zmonkey.org> writes:
> It's vulnerable to a non-ssl attack. Swap out the https login URL for
> one of your own devising. Then simply proxy all the https info to the
> user over your spoofed http connection. It would work against anybody
> who doesn't verify the cute little lock icon. Or use a self-signed cert
> and hope to catch somebody who would ignore the error, as most people
> would.
I never said it was totally secure, just that it wasn't vulnerable to
the particular attack. At least your version of an attack has several
(perhaps inconspicuous and oft-ignored) roadblocks that must be
ignored before it works.
--Levi